The Court of Justice of the European Union (CJEU) is due to hear questions concerning the validity of the Safe Harbour regime today, Tuesday 24 March 2015, in Maximillian Schrems v Data Protection Commissioner (Case C-362/14).
As the Safe Harbour regime allows U.S. companies to self-certify that they meet EU data protection rules on the processing of personal data, the case will have important practical implications for companies transferring data to the U.S.
In Schrems v Data Protection Commissioner IEHC 310, Max Schrems brought a judicial review challenge asking the Irish High Court to overturn a decision of the Data Protection Commissioner (DPC) refusing to investigate his complaint, on the grounds that it was frivolous and vexatious. He had complained that the Snowden revelations demonstrated that there is no effective data protection regime in the U.S., and that the DPC should exercise his statutory power to direct that the transfer of personal data from Facebook Ireland to its parent company (Facebook Inc.) in the US should cease.
The DPC found that as Facebook Inc. had self-certified under the Safe Harbour regime, and Commission Decision 2000/520/EC found that Safe Harbour provided an adequate level of data protection, there was nothing left for him to investigate.
The DPC refused to exercise his power to suspend the flow of data from Facebook Ireland to Facebook Inc., pursuant to article 3 of the Safe Harbour Decision, on the grounds that none of the specified conditions for doing so applied in this case. Furthermore, the DPC contended that, in view of the fact that the Commission was already engaged in a review of the application of Safe Harbour, it was perfectly lawful and rational to take the view that the applicant’s complaint should be addressed at EU level and not to him.
Judge Hogan concluded that Mr Schrems’ objection was, in reality, to the terms of the Safe Harbour regime, rather than to the manner in which the DPC had applied the regime. Accordingly, he adjourned the High Court proceedings pending the outcome of a reference to the CJEU.
The Irish High Court has asked the CJEU whether the DPC is absolutely bound by the EU Commission’s Safe Harbour Decision (in light of the subsequent entry into force of the EU Charter of Fundamental Rights), or whether the DPC may conduct his own investigation of the matter in light of factual developments since the Safe Harbour regime came into effect.
It will be interesting to see how widely these questions will be construed by the CJEU, in particular whether the CJEU will answer the Court’s questions in a narrow way, focussing on the discretion of national Data Protection Authorities to look behind the EU Commission’s Safe Harbour Decision, or whether it will go further and examine the issue of all adequacy-based data transfers out of the EEA.
Judge Hogan highlighted that if the DPC cannot look beyond the EU Commission’s Safe Harbour decision, then it is clear that Mr Schrems’ complaint both before the DPC and in the judicial review proceedings must fail.
The European Court Hearing
Twelve parties (including seven EU member states, the European Commission and the European Parliament, the two main parties in the Irish proceedings, and an ‘amicus curiae’ notice party in those proceedings, Digital Rights Ireland) have submitted written observations to the CJEU. It is expected that additional parties will participate in the oral hearing.
We will be monitoring progress with this case, and will update you in due course.
For further discussion, see my article: Still a ‘safe’ Harbor – Implications of Schrems v DPC.